Utility processes on Linux should use namespace/chroot sandboxing where possible
Categories: Core :: Security: Process Sandboxing, defect, P2
People: Reporter: jld, Assigned: gerard-majax
Details: Keywords: sec-other, Whiteboard: [adv-main128-]
Attachments: 1 file
Currently, utility processes will use a seccomp-bpf sandbox, but will not attempt to unshare namespaces or chroot to a nonexistent directory for more isolation (if the OS allows us, which most distributions now do by default). We do this for most other child processes but it's not yet enabled for utility processes.
I should have caught this during review in bug 1731890, because the change to GetEffectiveSandboxLevel doesn't do anything without a change to its caller to use the return value in that case; my apologies for missing it.
I don't think this is really a security vulnerability, because we don't require the OS to allow unprivileged namespaces at all, and we generally try to make the seccomp-bpf policy stand alone as a sandbox. But this does mean that the utility sandbox, as commonly deployed, isn't as strong as may have been expected, so I'm hiding this out of an abundance of caution to get a second opinion.
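An added illustration of the extra isolation layer the report is asking for, written for this page rather than taken from Mozilla's sandbox code: the child unshares user, network and IPC namespaces, chroots into a freshly created directory and then deletes that directory, so its root exists nowhere in the filesystem; when the OS forbids unprivileged namespaces it reports that so the caller knows only the seccomp-bpf policy is in force. The scratch path under /tmp and the SB_* result codes are constructed for the example.

```c
#define _GNU_SOURCE          /* unshare() and CLONE_* from <sched.h> */
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SB_OK = 0, SB_NS_UNAVAILABLE = 1, SB_FAILED = 2 };   /* constructed codes */

/* errno values that mean the kernel/distro forbids unprivileged namespaces:
 * the caller must then rely on seccomp-bpf alone rather than treat it as a bug. */
int ns_error_is_policy(int err) {
    return err == EPERM || err == EINVAL || err == ENOSYS || err == EACCES;
}

/* Child side, after fork(): returns an SB_* code for the parent. */
static int sandbox_self(void) {
    char dir[] = "/tmp/sb-XXXXXX";                       /* constructed scratch path */
    if (mkdtemp(dir) == NULL) return SB_FAILED;
    int tmpfd = open("/tmp", O_RDONLY | O_DIRECTORY);    /* kept so we can rmdir later */
    if (tmpfd < 0) return SB_FAILED;
    /* CLONE_NEWUSER comes first: it grants the capabilities the other two need. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET | CLONE_NEWIPC) != 0)
        return ns_error_is_policy(errno) ? SB_NS_UNAVAILABLE : SB_FAILED;
    /* In the new user namespace we hold CAP_SYS_CHROOT, so no real root is needed. */
    if (chroot(dir) != 0 || chdir("/") != 0) return SB_FAILED;
    /* Delete our own root directory through the pre-chroot fd: no path reaches it now. */
    if (unlinkat(tmpfd, dir + strlen("/tmp/"), AT_REMOVEDIR) != 0) return SB_FAILED;
    close(tmpfd);
    /* The host filesystem must be invisible from here. */
    return access("/etc", F_OK) == -1 ? SB_OK : SB_FAILED;
}

/* Fork, sandbox the child, and report which level of isolation it reached. */
int run_sandboxed_probe(void) {
    pid_t pid = fork(); if (pid < 0) return SB_FAILED;
    if (pid == 0) _exit(sandbox_self());
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return SB_FAILED;
    return WEXITSTATUS(status);
}

int main(void) {
    int r = run_sandboxed_probe();   /* 0: namespaces+chroot, 1: seccomp-bpf only, 2: error */
    printf("sandbox probe result: %d\n", r);
    return r == SB_FAILED;
}
```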